Binary packages for i686 and amd64

Debian packages are, I think, the most popular way of distributing binaries, so I've debootstrapped an Ubuntu Lucid distribution and prepared one for you. It's built for Lucid, but it should work with any Debian or Ubuntu distribution (if not, please let me know!)

It's compiled with the /usr/local prefix!
If you already have a Wireshark installed under /usr, remember to explicitly run /usr/local/bin/wireshark, otherwise you may end up starting the /usr one without the plugins.

Compiling wireshark with plugins

If you're (un)lucky and don't use .deb packages, or you're on another system architecture, you need to compile your own version of Wireshark.
To make your life a little easier I've prepared the get-wireshark.sh script (also in the git repository), which will help you do this.

But before you use get-wireshark.sh you need to install some dependencies.
Building Wireshark requires the dependencies listed on the wiki page: http://wiki.wireshark.org/Development
Dependencies for the plugins are listed below, under each plugin.

Newer versions of get-wireshark.sh support building only specific plugin(s).
Example usages:

Compile only the wireviz plugin:
./get-wireshark.sh clean wireviz

Compile only the plugins created during GSoC:
./get-wireshark.sh clean gsoc

Wireshnork

Dependencies: Configured snort (plugin tested with: snort-2.8.6, snort-2.9.0.5)
Functionality: Support for filtering snort alerts in Wireshark
Features: you can use new display filters:

snort - Packets for which snort generated an alert

snort.sid - SID of the rule which generated the alert

snort.generator - Generator ID (GID) of the rule which generated the alert

snort.rev - Revision of the rule which generated the alert

snort.msg - Alert message

snort.class - Alert classification

snort.priority - Alert priority

Configuration:

Configuration Filename - The name of the file containing the snort IDS configuration
Default: /etc/snort/snort.conf

Try to synchronize communication with snort [ms] - This option passes an extra -v (verbose) option to snort. It makes snort and the Wireshnork plugin a little slower. Enabling this option is *REQUIRED* for one-pass tshark.
Default: 100

NOTEs:

It works only for frames encapsulated in Ethernet, and only when all frames in the capture file have the same encapsulation (snort doesn't support the pcap-ng file format).
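As an added pre-flight check for the note above (example code written for this page, not part of the Wireshnork plugin): a small Python script that reads the global header of a capture file and reports whether it is something snort can consume, i.e. a classic pcap file whose link type is Ethernet. The sample headers are constructed inline for the test; the editcap conversion mentioned in the reject message is an assumption about how you would fix a rejected file, not something the plugin does.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D     # classic pcap, nanosecond timestamps
PCAPNG_SHB = 0x0A0D0D0A        # pcap-ng Section Header Block type (same in both byte orders)
LINKTYPE_ETHERNET = 1


def make_pcap_header(linktype, little_endian=True, magic=PCAP_MAGIC):
    """Build a 24-byte classic pcap global header; used here only to construct test data."""
    fmt = ("<" if little_endian else ">") + "IHHiIII"
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    return struct.pack(fmt, magic, 2, 4, 0, 0, 65535, linktype)


# Constructed sample headers, not taken from real capture files.
SAMPLE_PCAP_ETHER = make_pcap_header(LINKTYPE_ETHERNET)
SAMPLE_PCAP_RAWIP = make_pcap_header(101)          # LINKTYPE_RAW: no Ethernet header
SAMPLE_PCAPNG = struct.pack("<I", PCAPNG_SHB) + b"\x00" * 20


def capture_ok_for_snort(header):
    """Return (ok, reason) for the first 24 bytes of a capture file.

    ok is True only for a classic pcap file whose global link type is Ethernet.
    In classic pcap the link type is global, so once the file passes, every frame
    has the same encapsulation; pcap-ng can mix link types per interface and
    snort does not read it at all."""
    if len(header) < 24:
        return False, "too short to be a capture file"
    first_word = struct.unpack("<I", header[:4])[0]
    if first_word == PCAPNG_SHB:
        # Assumption: editcap -F pcap (older releases: -F libpcap) converts it back.
        return False, "pcap-ng file: snort only reads classic pcap, convert it with editcap first"
    if first_word in (PCAP_MAGIC, PCAP_MAGIC_NS):
        order = "<"
    elif struct.unpack(">I", header[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        order = ">"
    else:
        return False, "unknown magic 0x%08x: not a pcap file" % first_word
    # Lower 16 bits hold the link type; upper bits are reserved/FCS flags in newer files.
    linktype = struct.unpack(order + "I", header[20:24])[0] & 0xFFFF
    if linktype != LINKTYPE_ETHERNET:
        return False, "link type %d is not Ethernet (1); the plugin will not see these frames" % linktype
    return True, "classic pcap, Ethernet link type"


def check_file(path):
    """Apply capture_ok_for_snort to a file on disk."""
    with open(path, "rb") as f:
        return capture_ok_for_snort(f.read(24))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        ok, why = check_file(path)
        print("%s: %s (%s)" % (path, "usable" if ok else "skip", why))
```

Run it as python check_pcap.py *.pcap before handing captures to Wireshnork; anything reported as "skip" will either not be read by snort at all (pcap-ng) or will produce no snort.* fields (non-Ethernet link type).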

BUGs:

Capture size is limited to 1'000'000 frames

WireshAV

Dependencies: libclamav, and optionally clamd (tested with: clamav-0.97)
Functionality: Extract files transferred over mail protocols, HTTP and Samba, and scan them with an antivirus.
Features: you can use new display filters:

av - All packets scanned by the antivirus

av.uri - "URI" of the scanned file

av.sha - SHA-256 of the scanned file

av.virus - Whether a virus was "Detected" or "Not Detected" in this file

av.clamav - Name of the virus from the ClamAV database
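Because the snort.* fields (Wireshnork) and the av.* fields (WireshAV) listed above are ordinary Wireshark display-filter fields, they can be pulled out of a capture with tshark -T fields and post-processed. The following Python example was added for this page and is not part of either plugin: it shows the tshark command line, a parser for its tab-separated output, a per-rule alert summary and a list of the SHA-256 hashes of files ClamAV flagged. The tshark output embedded in it is constructed sample data; -Y is assumed to be your tshark's read/display filter flag (older tshark releases used -R), and with Wireshnork the synchronization option described in its configuration must be on for a one-pass tshark run.

```python
import subprocess
from collections import Counter

# Field names as listed on this page, plus frame.number for cross-referencing.
SNORT_FIELDS = ["frame.number", "snort.sid", "snort.rev", "snort.priority", "snort.msg"]
AV_FIELDS = ["frame.number", "av.uri", "av.sha", "av.virus", "av.clamav"]

# Aggregator for repeated fields. Not the default ',' because snort.msg text
# can itself contain commas, which would split one message into two.
AGG = "|"


def tshark_fields_cmd(pcap, display_filter, fields):
    """argv for a one-pass tshark run printing one tab-separated line per matching
    frame. occurrence=a keeps every value of a repeated field (a frame may carry
    several snort alerts), joined with AGG."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=a", "-E", "aggregator=" + AGG]
    for name in fields:
        cmd += ["-e", name]
    return cmd


def parse_fields_output(text, fields):
    """Turn tshark -T fields output into a list of {field: [values]} dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))   # trailing empty fields
        records.append({name: (value.split(AGG) if value else [])
                        for name, value in zip(fields, cols)})
    return records


def _nth(rec, field, i):
    """i-th value of a repeated field, or '' if that occurrence is missing."""
    values = rec[field]
    return values[i] if i < len(values) else ""


def snort_alert_summary(records):
    """Count alerts per (sid, rev) across all frames, keeping priority and message.
    Returns (sid, rev, priority, count, msg) tuples, most frequent first."""
    counts = Counter()
    detail = {}
    for rec in records:
        for i, sid in enumerate(rec["snort.sid"]):
            key = (sid, _nth(rec, "snort.rev", i))
            counts[key] += 1
            detail[key] = (_nth(rec, "snort.priority", i), _nth(rec, "snort.msg", i))
    return [(sid, rev, detail[(sid, rev)][0], n, detail[(sid, rev)][1])
            for (sid, rev), n in counts.most_common()]


def detected_file_hashes(records):
    """SHA-256 -> set of ClamAV names for every file reported as Detected.
    Keyed by hash so the same file seen in several frames collapses to one entry."""
    hits = {}
    for rec in records:
        for i, sha in enumerate(rec["av.sha"]):
            if _nth(rec, "av.virus", i) == "Detected":
                hits.setdefault(sha, set()).add(_nth(rec, "av.clamav", i))
    return hits


def run_tshark(pcap, display_filter, fields):
    """Run tshark (must be installed with the plugins loaded) and parse its output."""
    out = subprocess.run(tshark_fields_cmd(pcap, display_filter, fields),
                         check=True, capture_output=True, text=True).stdout
    return parse_fields_output(out, fields)


# Constructed sample output in the shape tshark prints for the command above.
# Frame 57 carries two alerts; one message contains a comma on purpose.
SAMPLE_SNORT_OUTPUT = "\n".join([
    "12\t1000001\t3\t1\tLOCAL test rule, HTTP probe",
    "57\t1000001|1000002\t3|1\t1|2\tLOCAL test rule, HTTP probe|LOCAL second rule",
    "98\t1000002\t1\t2\tLOCAL second rule",
]) + "\n"
SAMPLE_AV_OUTPUT = "\n".join([
    "201\thttp://example.com/a.exe\t" + "a" * 64 + "\tDetected\tEicar-Test-Signature",
    "340\thttp://example.com/b.pdf\t" + "b" * 64 + "\tNot Detected\t",
    "512\thttp://example.com/a.exe\t" + "a" * 64 + "\tDetected\tEicar-Test-Signature",
]) + "\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # real capture: needs tshark with the plugins
        snort = run_tshark(sys.argv[1], "snort", SNORT_FIELDS)
        av = run_tshark(sys.argv[1], 'av.virus == "Detected"', AV_FIELDS)
    else:                    # offline demo on the constructed sample
        snort = parse_fields_output(SAMPLE_SNORT_OUTPUT, SNORT_FIELDS)
        av = parse_fields_output(SAMPLE_AV_OUTPUT, AV_FIELDS)
    for sid, rev, prio, n, msg in snort_alert_summary(snort):
        print("sid %s rev %s prio %s: %d alert(s) - %s" % (sid, rev, prio, n, msg))
    for sha, names in detected_file_hashes(av).items():
        print("%s %s" % (sha, ", ".join(sorted(names))))
```

The display filter passed to tshark does the heavy lifting: "snort" alone selects every alerted frame, 'av.virus == "Detected"' selects only files ClamAV flagged, and the same expressions work in the Wireshark GUI filter bar.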

NOTEs:

If you're not using clamd, or your clamd unix socket is at an address other than /var/run/clamav/clamd.sock, you might experience a much slower Wireshark startup ;-)

TODOs:

Add support for files transferred by other protocols, like DCC (irc/xmpp/...), ftp or nfs.

Implement support for other antiviruses.

Try to use the VirusTotal API.

WireBrowse

Dependencies: none
Functionality: Listens on 127.0.0.1:8080 (loopback only) and lets the user use Wireshark functionality remotely through a browser.
WARNING: proof-of-concept, use it only with smaller (< 30 MB) capture files!
Features:

Packet List: Displays the list of packets and the details of the selected one

Connection List: Based on Wireshark's Statistics->Conversations, but lets you get the list of packets of a conversation faster

BUGs:

Lots of memory leaks! It can also leak file descriptors.

Packet background colour is not set unless you've browsed to that packet in the GUI (can't be fixed; it's an internal Wireshark GUI optimization)

TODOs:

Instead of transmitting a large amount of HTML, use XML or JSON and build the tables with JavaScript

Make the byte view clickable

Wireshark has IO Graphs; it should be easy to reimplement them with a JavaScript chart library.